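def get_usb_key_info(key_name):
    """
    Extracts the VID&PID segment of a USB device from the registry, given the
    name of a USBSTOR device interface key.

    :param key_name: a USBSTOR device interface key name, for example
        ##?#USBSTOR#Disk&Ven_&Prod_USB_DISK_2.0&Rev_PMAP#07BC13025A3B03A1&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
    :return: the "VID_xxxx&PID_xxxx" segment of the matching USB device key
        (a string, not a list), or "" when key_name is malformed or no
        matching sub key is found
    """
    # HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}
    str_reg_key_usbinfo = r"SYSTEM\ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    # key_name is a "#"-separated string (6 separators in the example above);
    # the USB instance id is the segment at index 5.  A name with fewer
    # segments is not a USBSTOR interface name, so there is nothing to look up
    # (the unguarded index used to raise IndexError here).
    index_usb_id = 5
    parts = key_name.split("#")
    if len(parts) <= index_usb_id:
        return ""
    # keep only the left part of the instance id, which may carry another
    # "&"-separated suffix: 07BC13025A3B03A1&0 -> 07BC13025A3B03A1
    usb_id = parts[index_usb_id].split("&")[0]
    # an empty id is a substring of every sub key name checked below and would
    # silently match the first device in the list, whatever key was asked for
    if not usb_id:
        return ""
    # next we look in the registry for such an id
    key_ids = ""
    reg_key_info = registry_obj.get_registry_key(registry_obj.HKEY_LOCAL_MACHINE, str_reg_key_usbinfo)
    if reg_key_info:
        # example of a sub key name:
        # ##?#USB#VID_26BD&PID_9917#0702313E309E0863#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
        # same "#"-separated layout: index 5 is the instance id and index 4 is
        # the VID&PID segment we want to return
        index_vid_pid = 4
        for i in range(reg_key_info.get_number_of_sub_keys()):
            sub_name = reg_key_info.get_sub_key(i).get_name()
            # substring match, as before: the instance id is searched anywhere
            # in the sub key name
            if usb_id not in sub_name:
                continue
            sub_parts = sub_name.split("#")
            # a matching name that does not follow the layout above cannot
            # yield a VID&PID segment; keep looking instead of raising
            if len(sub_parts) > index_vid_pid:
                key_ids = sub_parts[index_vid_pid]
                break
    return key_ids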
def _get_list_from_users_registry_key(self, key_path, is_recursive=True, is_usrclass=False):
    """
    Lists a registry key under HKEY_USERS for every user profile.

    Windows only mounts the hives of currently logged on users under
    HKEY_USERS, so the hives of the other profiles are read from the files
    previously opened into self.user_hives (NTUSER.DAT, and UsrClass.dat
    which holds HKEY_USERS\\ID\\Software\\Classes on Windows Vista and later).
    On Windows Vista and later those files come from a shadow copy, which
    bypasses the lock Windows holds on HKCU.

    :param key_path: the registry key to list
    :param is_recursive: whether the function should also list subkeys
    :param is_usrclass: when True, look the key up in each profile's
        UsrClass.dat root instead of its NTUSER.DAT root
    :return: a list of all extracted keys/values
    """
    collected = []
    # logged on users: their hives are mounted, walk HKEY_USERS directly
    hkey_users = registry_obj.get_registry_key(registry_obj.HKEY_USERS)
    if hkey_users:
        for idx in range(hkey_users.get_number_of_sub_keys()):
            found = hkey_users.get_sub_key(idx).get_sub_key_by_path(key_path)
            if found:
                construct_list_from_key(collected, found, is_recursive)
    # logged off users: hives opened by hand (NTUSER.DAT, UsrClass.dat)
    for sid, ntuser_root, usrclass_root in self.user_hives:
        hive_root = usrclass_root if is_usrclass else ntuser_root
        found = hive_root.get_sub_key_by_path(key_path)
        if not found:
            continue
        # the key comes from a file, so its path has no SID prefix; add one so
        # the output matches what a mounted HKEY_USERS key would show
        found.prepend_path_with_sid(sid)
        construct_list_from_key(collected, found, is_recursive)
    return collected
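def init_win_vista_and_above(self):
    """
    Opens the NTUSER.DAT and UsrClass.dat hives of every profile listed in
    ProfileList through a volume shadow copy and appends
    (profile key name, NTUSER root key, UsrClass root key) to self.user_hives.

    Reading through the shadow copy lets the files be opened even when Windows
    holds a lock on the hives of currently logged on users.  Profiles whose
    hives cannot be opened (IOError) are skipped.

    Reads self.systemroot and self.logger; sets self.vss and appends to
    self.user_hives.
    """
    users = registry_obj.get_registry_key(
        registry_obj.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList")
    # only the drive letter is needed; the rest of systemroot is unused here
    drive, _ = os.path.splitdrive(self.systemroot)
    params = {"logger": self.logger}
    self.vss = _VSS._get_instance(params, drive)
    if not users:
        return
    # root of the shadow copy standing in for the system drive, evaluated once
    # instead of twice per profile (assumes _return_root() is a plain getter
    # with no side effects -- TODO confirm)
    vss_root = self.vss._return_root()
    for i in range(users.get_number_of_sub_keys()):
        user = users.get_sub_key(i)
        profile_dir = user.get_value_by_name("ProfileImagePath").get_data()
        # NOTE: str.replace swaps every occurrence of the drive string, not just
        # the leading one; behaviour kept as is because a profile path normally
        # contains the drive once, at the start
        shadow_profile_dir = profile_dir.replace(drive, vss_root)
        path = shadow_profile_dir + r"\NTUSER.DAT"
        # the raw literal keeps the doubled backslash before UsrClass.dat; it
        # looks unintended but is left untouched so the opened path is unchanged
        # -- TODO confirm it is accepted everywhere this runs
        path_usrclass = shadow_profile_dir + r"\AppData\Local\Microsoft\Windows\\UsrClass.dat"
        try:
            regf_file = registry_obj.RegfFile()
            regf_file.open(path)
            regf_file_usrclass = registry_obj.RegfFile()
            regf_file_usrclass.open(path_usrclass)
            self.user_hives.append(
                (user.get_name(), regf_file.get_root_key(), regf_file_usrclass.get_root_key()))
        except IOError:
            # not a user profile, or a hive that cannot be read: skip it
            pass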
def init_win_xp(self):
    """
    Opens the NTUSER.DAT hive of every profile listed in ProfileList and
    appends (profile key name, root key) to self.user_hives.

    Hives that cannot be opened (IOError) are skipped: Windows locks the hive
    of a logged on user, and some ProfileList entries are not real user
    profiles.
    """
    profile_list = registry_obj.get_registry_key(
        registry_obj.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList")
    if not profile_list:
        return
    for idx in range(profile_list.get_number_of_sub_keys()):
        profile = profile_list.get_sub_key(idx)
        hive_path = profile.get_value_by_name("ProfileImagePath").get_data() + r"\NTUSER.DAT"
        try:
            hive = registry_obj.RegfFile()
            hive.open(hive_path)
            self.user_hives.append((profile.get_name(), hive.get_root_key()))
        except IOError:
            # hive locked (user logged on) or not a user profile: skip it
            continue
def _get_list_from_registry_key(self, hive, key_path, is_recursive=True):
    """Creates a list of all nodes and values from a registry key path.

    Keyword arguments:
    hive -- (String) the hive name
    key_path -- (String) the path of the key from which the list should be created
    is_recursive -- (Boolean) whether sub keys are walked recursively (default True)

    HKEY_USERS is delegated to _get_list_from_users_registry_key so that the
    per-user hives opened from files are covered as well.  An empty list is
    returned when the key does not exist.
    """
    if hive == registry_obj.HKEY_USERS:
        return self._get_list_from_users_registry_key(key_path, is_recursive)
    collected = []
    root_key = registry_obj.get_registry_key(hive, key_path)
    if not root_key:
        return collected
    # values of the key itself first, then each sub key
    append_reg_values(collected, root_key)
    for idx in range(root_key.get_number_of_sub_keys()):
        construct_list_from_key(collected, root_key.get_sub_key(idx), is_recursive)
    return collected
def _get_list_from_users_registry_key(self, key_path, is_recursive=True):
    """
    Lists a registry key under HKEY_USERS for every user profile.

    Windows only mounts the hives of currently logged on users under
    HKEY_USERS, so the other profiles are read from the NTUSER.DAT root keys
    previously opened into self.user_hives.

    :param key_path: the registry key to list
    :param is_recursive: whether the function should also list subkeys
    :return: a list of all extracted keys/values
    """
    collected = []
    # logged on users: walk the mounted HKEY_USERS hive
    hkey_users = registry_obj.get_registry_key(registry_obj.HKEY_USERS)
    if hkey_users:
        for idx in range(hkey_users.get_number_of_sub_keys()):
            found = hkey_users.get_sub_key(idx).get_sub_key_by_path(key_path)
            if found:
                construct_list_from_key(collected, found, is_recursive)
    # logged off users: NTUSER.DAT files opened by hand
    for sid, ntuser_root in self.user_hives:
        found = ntuser_root.get_sub_key_by_path(key_path)
        if not found:
            continue
        # keys read from a file carry no SID prefix; add it so the output
        # matches what a mounted HKEY_USERS key would show
        found.prepend_path_with_sid(sid)
        construct_list_from_key(collected, found, is_recursive)
    return collected
def _get_list_from_registry_key(self, hive, key_path, is_recursive=True):
    """Creates a list of all nodes and values from a registry key path.

    Keyword arguments:
    hive -- (String) the hive name
    key_path -- (String) the path of the key from which the list should be created
    is_recursive -- (Boolean) whether sub keys are walked recursively (default True)

    HKEY_USERS is handled by _get_list_from_users_registry_key so that the
    per-user hives opened from files are covered as well.  Returns an empty
    list when the key does not exist.
    """
    if hive == registry_obj.HKEY_USERS:
        return self._get_list_from_users_registry_key(key_path, is_recursive)
    root_key = registry_obj.get_registry_key(hive, key_path)
    entries = []
    if root_key:
        # values of the key itself first, then every sub key
        append_reg_values(entries, root_key)
        sub_key_count = root_key.get_number_of_sub_keys()
        for idx in range(sub_key_count):
            sub_key = root_key.get_sub_key(idx)
            construct_list_from_key(entries, sub_key, is_recursive)
    return entries
def __init__(self, params):
    """
    Stores the collection parameters and opens the NTUSER.DAT hive of every
    profile listed in ProfileList.

    :param params: dict with "output_dir", "computer_name" and "logger".
        computer_name, output_dir and logger are only stored when both
        output_dir and computer_name are set (truthy); otherwise those
        attributes are left undefined.
    """
    if params["output_dir"] and params["computer_name"]:
        self.computer_name = params["computer_name"]
        self.output_dir = params["output_dir"]
        self.logger = params["logger"]
    # hives of logged off users, as (profile key name, root key) pairs
    self.user_hives = []
    profile_list = registry_obj.get_registry_key(
        registry_obj.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList")
    if not profile_list:
        return
    for idx in range(profile_list.get_number_of_sub_keys()):
        profile = profile_list.get_sub_key(idx)
        hive_path = profile.get_value_by_name("ProfileImagePath").get_data() + r"\NTUSER.DAT"
        try:
            hive = registry_obj.RegfFile()
            hive.open(hive_path)
            self.user_hives.append((profile.get_name(), hive.get_root_key()))
        except IOError:
            # hive locked (user logged on) or not a user profile: skip it
            continue
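def init_win_vista_and_above(self):
    """
    Opens the NTUSER.DAT and UsrClass.dat hives of every profile listed in
    ProfileList through a volume shadow copy and appends
    (profile key name, NTUSER root key, UsrClass root key) to self.user_hives.

    Reading through the shadow copy lets the files be opened even when Windows
    holds a lock on the hives of currently logged on users.  Profiles whose
    hives cannot be opened (IOError) are skipped.

    Reads self.systemroot and self.logger; sets self.vss and appends to
    self.user_hives.
    """
    users = registry_obj.get_registry_key(
        registry_obj.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList")
    # only the drive letter is needed; the rest of systemroot is unused here
    drive, _ = os.path.splitdrive(self.systemroot)
    params = {"logger": self.logger}
    self.vss = _VSS._get_instance(params, drive)
    if not users:
        return
    # root of the shadow copy standing in for the system drive, evaluated once
    # instead of twice per profile (assumes _return_root() is a plain getter
    # with no side effects -- TODO confirm)
    vss_root = self.vss._return_root()
    for i in range(users.get_number_of_sub_keys()):
        user = users.get_sub_key(i)
        profile_dir = user.get_value_by_name("ProfileImagePath").get_data()
        # NOTE: str.replace swaps every occurrence of the drive string, not just
        # the leading one; behaviour kept as is because a profile path normally
        # contains the drive once, at the start
        shadow_profile_dir = profile_dir.replace(drive, vss_root)
        path = shadow_profile_dir + r"\NTUSER.DAT"
        # the raw literal keeps the doubled backslash before UsrClass.dat; it
        # looks unintended but is left untouched so the opened path is unchanged
        # -- TODO confirm it is accepted everywhere this runs
        path_usrclass = shadow_profile_dir + r"\AppData\Local\Microsoft\Windows\\UsrClass.dat"
        try:
            regf_file = registry_obj.RegfFile()
            regf_file.open(path)
            regf_file_usrclass = registry_obj.RegfFile()
            regf_file_usrclass.open(path_usrclass)
            self.user_hives.append(
                (user.get_name(), regf_file.get_root_key(), regf_file_usrclass.get_root_key()))
        except IOError:
            # not a user profile, or a hive that cannot be read: skip it
            pass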
def _get_list_from_users_registry_key(self, key_path, is_recursive=True):
    """
    Extracts information from HKEY_USERS for every user profile.

    Since the hives of logged off users are not mounted by Windows, each
    NTUSER.DAT file opened into self.user_hives is consulted in addition to
    the sub keys of HKEY_USERS, which only cover currently logged on users.

    :param key_path: the registry key to list
    :param is_recursive: whether the function should also list subkeys
    :return: a list of all extracted keys/values
    """
    entries = []
    hkey_users = registry_obj.get_registry_key(registry_obj.HKEY_USERS)
    if hkey_users:
        # logged on users: their hive is mounted under HKEY_USERS\<SID>
        user_count = hkey_users.get_number_of_sub_keys()
        for idx in range(user_count):
            user_key = hkey_users.get_sub_key(idx)
            found = user_key.get_sub_key_by_path(key_path)
            if found:
                construct_list_from_key(entries, found, is_recursive)
    # logged off users: NTUSER.DAT files opened by hand
    for sid, ntuser_root in self.user_hives:
        found = ntuser_root.get_sub_key_by_path(key_path)
        if found:
            # keys read from a file carry no SID prefix; add it so the output
            # matches what a mounted HKEY_USERS key would show
            found.prepend_path_with_sid(sid)
            construct_list_from_key(entries, found, is_recursive)
    return entries